PLEASE RETURN COMPLETED QUESTIONNAIRE TO ANDY CADEL AT

Cadel_a@jpmorgan.com

CONFIDENTIAL

This Is A 
Confidential Disclosure 
For Your Attorney's Use Only 
Use It To Record Your Invention 

The following is a short guide and questionnaire designed to elicit the 
information necessary to assess the patentability of your idea. 

ASSESSING THE PATENTABILITY OF YOUR IDEA 

There are three questions you should ask yourself when you begin the patent 
process: 

1. What process/product is already available to do what your patent would 
accomplish? 

2. What makes your process/product better? 

3. Will you know if other people/companies are using your patented product 
or process? 

If any of the questions below are unclear, or you have specific issues 
regarding patents, please do not hesitate to call Andy Cadel at 212-622 5139. 

By answering the questions in this form, you will begin the important process of looking 
carefully at your idea as well as documenting your invention. When properly completed, this 
form is useful in conducting patentability or infringement searches, preparing and prosecuting 
patent applications, and proving the date of your invention in legal proceedings. 

To be patentable, an invention must be new, useful (or ornamental in the case of a 
design patent) and non-obvious. Certain acts by you or others that pre-date the 
filing of a patent application on your invention may preclude you from obtaining a 
valid patent in the USA and/or in many foreign countries. Accordingly, a patent 
application should be prepared and filed in the U.S. Patent and Trademark Office 
prior to any disclosure or commercial use. If this is not possible, arrangements 
should be made for the disclosure to be made subject to a non-disclosure or 
confidentiality agreement. There is a one-year grace period under U.S. patent law 
for disclosure of any invention prior to the filing of an application, but it should be 
relied upon only if you know that you have no interest in protection outside the 
United States. 

As an applicant for a U.S. patent, you are required to disclose to the U.S. Patent 
and Trademark Office all prior products, publications and other prior activities 
known to you which are similar to or closely related to your invention so that the 
Patent Office can fairly measure and evaluate your invention. Please note that this 
prior art includes your own prior products as well as those of competitors, 
regardless of whether or not such products have ever been patented and is limited 
neither to the banking industry, nor to the United States. 

Please answer these questions to the best of your present knowledge and ability. 
1. The title that you believe best describes the invention.

A system and method for providing Single-Sign On amongst systems with diverse authentication
and entitlements schemes

2. If the invention is an improvement on or of another product, machine, system or process,
identify that other product, machine, system or process.

Improvement over the existing multiple login schemes when using Domino Notes Server, IWR,
etc.

3. Identify the JP Morgan Chase line of business for which the invention was developed. 
Global Credit Risk Management 



4. U.S. law requires that the actual inventor or inventors be designated in any U.S. patent
application. If you did not conceive of this invention alone, identify all person(s) (full names,
addresses, and citizenship) whom you believe to have created the invention.

Srinivasan N. Rao, 277 Park, New York, Indian Citizen
Lioun Chen, 277 Park, New York, US Citizen
Bruce Skingle, Floor 1, London, EC3V3DX, United Kingdom, UK citizen



5. Were any of the persons identified in question 4 above employed by third party (i.e., not a 
JP Morgan Chase employee)? If so, identify such party and provide any agreement relating 
thereto. 
6. On what date was the first written description of this invention made (provide the closest
date known); by whom was it made? State the first written description and attach a copy (if
available).

February 2003



7. On what date was the first drawing or sketch of the invention made (provide the closest 

date known); by whom was it made? Attach a copy (if available) 

March 2003 



8. When was the first disclosure (if any) of the invention made to anyone outside the JP 
Morgan Chase enterprise (when, where, by whom, to whom) and what was the nature of the 
disclosure? 



9. When was the earliest known use of the invention (and was it secretive, experimental or
commercial)?

May 2003 - experimental. July - production within JPM

10. When (if at all) was the invention first marketed or offered for sale (date, where, to and
by whom)?
11. When was the invention first actually constructed or used in a production environment
(provide date, location of records of field testing or experimental work which shows or tends to
show the operability of the invention; describe the work done)?

Constructed: May 2003 for IWR. June 2003 for Domino Notes Server
Currently UAT completed. Deployment in Production: July 2003

12. If you have not yet publicly disclosed the invention, when is your planned release date of
the product or your planned announcement date? July 2003



13. List the specific problems that the invention solves. Allows users to use their JANUS
credentials to access assets in Domino servers and other HTTP servers without requiring multiple
logins provided these various servers rely on some Common Reference data which uniquely
identifies the JPM user (like GID or "Common Name").

14. List the features of the invention that you believe are different from current processes or
products of which you are aware. The current alternative is to make the user log in multiple times
when using JANUS and, say, Domino Server

15. In light of these new features, what are the advantages and disadvantages of the invention
compared to current processes or products of which you are aware?

Advantage: Lightweight.
Disadvantage: Requires some effort on the part of the back-end HTTP application to ensure that
the JANUS ids translate to its own native Ids on which its entitlement system might be based.



16. Describe variations (if any) or future improvements of the invention which you presently
recognize.

17. Describe, in general terms, the future development or testing of the invention which you
contemplate, if any.

18. To the best of your present knowledge, was the invention known or used or marketed by
someone else in the world before the present invention was made by you? If so, when, where,
and by whom?

19. Has the invention been patented or described in a printed publication in any country? If
so, when and where?

20. So far as you are presently aware, has anyone copied your invention or developed a
competing product? If so, who, when and where?

21. Does the JP Morgan Chase enterprise have any partners or others with whom it is
working on this invention (e.g., contractors, vendors or consultants)? If so, list their names and
addresses and provide any agreements which reflect such relations.

22. What companies or organizations, or types of companies and organizations, do you think
would possibly be interested in this invention? Any organization which wishes to provide a
single-sign on solution between its corporate standard SSO system (which, for HTTP, in our
case, is JANUS) and systems like Domino SSO or Intrasnect which are 3rd party systems and
often based on their own authentication models.



23. What is the cost center number associated with the invention? 57942 



Signature of the Inventor or Other Person Preparing 
this Form 

Srinivasan N. Rao 
Typed or Printed Name 

26th floor, 277 Park, New York

Full Address

212-622-0570
Telephone Number 





July 07, 2003
Date 




USE THIS SPACE TO DESCRIBE YOUR INVENTION 



If you already have functional specifications, process flows and/or business requirements,
they may be adequate. Simply attach them to this form. Please do not reinvent the wheel.
Always start with any documentation developed to date. If more information is needed, it will be
requested at a later time.

If, however, there is no documentation, set forth in your own words what your invention is, how 
your invention works, and its advantages. Provide process flows of your invention and attach to 
this form. If necessary, use additional sheets of paper for this description. 
Alex R Pagano
To: Camille Payne/Lowenstein@Lowenstein
07/08/2003 08:35 PM
Subject: Re: Applying for patents - CReST

Please do the usual. I'll let you know to whom the case is assigned.

Alex R. Pagano, Ph.D.
Registered Patent Agent
Lowenstein Sandler PC
65 Livingston Avenue
Roseland, NJ 07068
dir. dial: 973-597-6202
fax: 973-597-6203
Cell: 973-476-1220

Secretary: Camille Payne 973-597-2500 

Forwarded by Alex R Pagano/Lowenstein on 07/08/2003 08:30 PM — 

cadel_a@jpmorgan.com
To: APagano@lowenstein.com
cc: ezimmerman@lowenstein.com
07/08/2003 05:35 PM
Subject: Re: Applying for patents - CReST




Another prospect. 
Andy 

Andy Cadel 

J. P. Morgan Chase & Co. 

Vice President & Assistant General Counsel 
(212) 622 5139 

Forwarded by Andrew N Cadel/JPMCHASE on 07/08/2003 05:34 PM

Srinivasan Rao
To: Andrew N Cadel/JPMCHASE@JPMCHASE
cc:
07/07/2003 04:48 PM
Subject: Re: Applying for patents (Document link: Andrew N Cadel)



Thanks for the info. I have compiled some info, which hopefully shed more
light on the "invention" we are trying to patent. I may have missed it, but
I'll be happy to submit it on the IBPatents web site if it has the
functionality to do.

The first implementation of this is planned to be rolled out into
production in July 2003 (we are in UAT currently) and pertains to the
Domino server (which is an IBM Notes product), and will allow our users to
seamlessly access our web offering both on our Janus-protected web sites
and on Domino by logging in just once through our Janus-protected web site.
Janus (as you may know) is the SSO system used by many of the JPM websites
(including MorganMarkets). While this implementation is specific to
Janus-Domino, the principles are applicable to other cases where we need to
integrate Janus-protected websites with other web services which have their
own complex "entitlement scheme". In other words, this model allows one to
rely on Janus to answer the question "who is this person", while allowing
one to rely on one's own business-specific logic/system to answer the
question "what can this person access or do on my web application".

The disclosure info, (somewhat sketchy) -> (See attached file:
Disclosure Form SSO.DOC)

Details of the Architecture (specific to Domino Servers) -> (See attached
file: Domino_PA.ppt)

Please let me know if I can do anything more to shed light in re this
"invention".

Many thanks. 
Sri 

(GDP : 622-0570) 



Andrew N Cadel
Legal 212 622 5139
To: Srinivasan Rao/JPMCHASE@JPMCHASE
cc:
07/07/2003 03:21 PM
Subject: Re: Applying for patents (Document link: Srinivasan Rao)

Sri, 

Good to hear from you. If you type "ibpatents" in IE it will take you to
the IBTech Patent page. There's a form (called the disclosure form) that
guides you through the information we'll need. Also, any pre-existing
documentation or management presentations are also helpful. Of course,
feel free to call with any questions, etc.



Andy 

Andy Cadel 

J. P. Morgan Chase & Co.

Vice President & Assistant General Counsel
(212) 622 5139
cadel_a@jpmorgan.com



Srinivasan Rao
To: Andrew N Cadel/JPMCHASE@JPMCHASE
cc:
07/07/2003 10:18 AM
Subject: Applying for patents

We recently came up with a Single Sign-on solution between Janus and Domino
and I am wondering if we can apply for patent for it? Is there a set of
guidelines in terms of what "inventions" are appropriate for application of
patent? Also, is there a standard format in which I need to provide the
info, (assuming this invention of ours "qualifies" for the purposes of
applying for a patent)?

Thanks . 
Sri 

(GDP : 212-622-0570) 



Disclosure Form SSO.DC Domino PA.ppt 
Alex R Pagano
07/09/2003 11:02 AM

To: George D Morgan/Lowenstein@Lowenstein
cc: Camille Payne/Lowenstein@Lowenstein
Subject: Re: Applying for patents - CReST

George. Glen has talked to Mike and agrees that you can take both of the new Chase cases. Camille will
open the files, please contact Andy and let him know you will be taking the cases and so that he can set
up first inventor interviews, thanks

George D Morgan
07/09/2003 09:53 AM

To: Alex R Pagano/Lowenstein
cc:
Subject: Re: Applying for patents - CReST



Hi Alex, I can take one or two of the JPM's 
Single Sign-On with Notes Domino
14846-32 



George D. Morgan 
Lowenstein Sandler PC 

This invention involves an authentication "plug-in" module that acts as an interface 
between a corporate sign-on system (e.g., JANUS) and an internal server (e.g., Domino 
Server) used by the same entity. The authentication module takes advantage of the fact 
that a user request received from the sign-on module guarantees that the user has already 
successfully gone through the authentication process. Once the user has been 
authenticated by the sign-on system (e.g., entered a valid corporate ID and password), the 
sign-on system sends the request to the authentication module. The authentication 
module then checks the IP address to verify that it matches the expected IP address of the 
sign-on system. (If it does not match, the logon attempt fails.) The authentication 
module then examines entitlement information in the header record. In the case where 
the system is a Domino server, the entitlement information would include the user's 
e-mail address. The e-mail address would have been placed into the header by the
sign-on system using a table look-up. The index for the table look-up would be the corporate
ID. Other systems may have different requirements. For example, another system might
be passed an Employee ID. One of the advantages of this arrangement is that only
"entitlement" information needs to be sent. Authentication information, such as
password information, is not generally needed because the user has already been
authenticated by the sign-on system. Next, certain data structures (e.g., Domino-CN) 
may need to be populated. In terms of an actual implementation in a Lotus Domino 
environment, the authentication module can be loaded into the Domino System 
Application Program Interface (DSAPI) library. When the Domino server is initially 
called, the authentication module performs the functionality outlined above. 



Monday, October 01, 2007 7:40 PM 
srinivasan.n.rao@jpmorgan.com
To: GMorgan@lowenstein.com
Subject: Re: Applying for patents
08/04/2003 05:28 PM



The plug-in does not "validate" the Common Name (which is in the header of
the request) but simply takes it from the header and puts it into a DSAPI
structure which Domino can access and then say: "ok, I know this guy now
what can he see or not see". It is like Domino can take from my left pocket
while the Common Name is in my right pocket. The DSAPI plug-in we wrote
makes sure the request is from the correct IP address (of
reverseProxy), makes sure the request has the Common Name in the header
(right pocket), takes it from the header (right pocket) and moves it to the
Domino buffers (left pocket), and tells Domino - I know this chap and have
authenticated him so deal with this request.

The "Common Name" is populated (not by the plug-in but before the request
gets to the plug-in) in the header based on the JANUS ID. Each employee who
is granted access to the web site has a Janus ID (for ex., gmorgan). This
ID is associated with the person's employee number, which in turn is
associated with the person's DOMINO "Common Name". So when a person logs
into JANUS using the JANUS ID of gmorgan, we can reliably derive this
person's "Common Name" from the Reference data tables (hence the data is
already validated).

Hope this clarifies the matter.

Regards.
Sri.



GMorgan@lowenstein.com
To: srinivasan.n.rao@jpmorgan.com
cc:
08/04/2003 05:06 PM
Subject: Re: Applying for patents

Question 

With regard to step 2 "Extract Common Name", it appears that you are
validating the CN information.

Can you explain this step? Can the plug-in validate the e-mail address by 
itself? 

srinivasan.n.rao@jpmorgan.com
gmorgan@lowenstein.com
cadel_a@jpmorgan.com

08/04/2003 12:49

CC:

Subject: Re: Applying for
SINGLE SIGN-ON AUTHENTICATION SYSTEM

Field of the Invention

The present invention relates generally to computer network security, and, more
particularly, to a system and a method for enabling a secure single sign-on to a computer
network.

Background of the Invention 

Currently, many companies employ computer networks that require users to
separately sign-on to individual systems. For instance, a user may be required to sign-on
to one computer system in order to access a spreadsheet application and then to another
to access an e-mail application. Very often, users are prompted for a different user id and
password during each sign on. The user must then remember several different user id's
and passwords.

In an attempt to deal with this problem, some vendors offer single sign-on (SSO)
capability. However, conventional SSO systems typically entail complex authentication
schemes. For example, U.S. Patent No. 5,684,950 to Dare et al., entitled "Method and
System for Authenticating Users to Multiple Computer Servers Via a Single Sign-On,"
discloses a method for authenticating a user to multiple computer servers. The method
involves an authentication broker which receives an authentication request. The
authentication broker then validates the request and issues a token. Once the user's
workstation has received the token from the authentication broker, it then sends the token
to the server that it wishes to interact with, to indicate that it has been authenticated.

14846/32 

09/03/2003 1429104.01 




Although useful, SSO schemes such as the one described above involve 
a significant amount of overhead. Accordingly, improved SSO systems and methods are 
needed. 



Summary of the Invention

The present invention provides a technique for enabling a secure, single sign-on
to a computer network that requires comparatively less complexity and overhead than
conventional single sign-on methods.

A single sign-on authentication system includes an authentication component that
determines whether a user is authenticated, and, if it is determined that the user is
authenticated, generates a connection request, the connection request including an
identifier and entitlement information. The system also includes an interface component
that receives the connection request from the authentication component. The interface
component compares the received identifier with an expected identifier. If they match,
the interface component makes the entitlement information available to a server
associated with the interface component.

A method for enabling an authenticated user to connect to a server in a computer
network includes receiving a connection request for an authenticated user, the connection
request including an identifier and entitlement information; comparing the received
identifier with an expected identifier; and, if they match, making the entitlement
information available to the server.
These and other aspects, features and advantages of the present invention will
become apparent from the following detailed description of preferred embodiments,
which is to be read in connection with the accompanying drawings.

Brief Description of the Drawings

FIG. 1 is a block diagram showing an exemplary single sign-on authentication
system; and

FIG. 2 shows a flow diagram outlining an exemplary technique for processing a
connection request.

Description of Preferred Embodiments 

The present invention takes advantage of the notion that once a user has
successfully signed on to a network, any computer system in the network receiving a
connection request need only verify that the connection request was received from the
network's sign-on component. If the connection request originated with the sign-on
component, then there is no need to again query the user for authentication information
and to authenticate the user.

FIG. 1 is a block diagram of an exemplary single sign-on authentication system
100. The single sign-on authentication system 100 includes a terminal 110, a sign-on
component 120, and a server 150. The server 150 includes an interface component 152
and a request processor 154. While this system 100 includes a single terminal 110 and a
single server 150, it is to be appreciated that typically there would be numerous other
terminals and servers connected to the sign-on component 150.
In operation, a user interacting with the terminal 110 is presented with a sign-on
screen (not shown). The user then enters authentication information using this screen.
The entered authentication information is then transmitted to the sign-on component 120.
In general, authentication information includes any information used to verify a person's
identity to ensure that the person has access to a particular computer network.
Commonly, authentication information includes a unique identifier and a password. In an
alternative embodiment, the terminal 110 includes a biometric device (e.g., fingerprint
reader, retina scan) which may instead, or in addition, be used to verify the user's
identity.

Once the authentication information is received by the sign-on component 120, it
can be used to determine whether the user is authorized to use the network. This can be
done, for example, by comparing the received authentication information with
information on file regarding valid users.

After the user is authenticated, the sign-on component 120 preferably determines
which systems in the network the user may access. The user might be prompted to select
which of the systems to access. Alternatively, the selection process could be
accomplished automatically (e.g., via a script). The sign-on component 120 also
preferably determines the entitlement information needed by each of the individual
systems that the user will access. In general, entitlement information includes
information used by an individual computer system to assign system resources and/or
establish user preferences. The sign-on component 120 then issues several connection
requests, each to connect to one of the selected systems.
FIG. 2 is an exemplary flow diagram outlining an exemplary technique for
processing a connection request.

In step 202, header information from the connection request is obtained. This
header information will generally include a source identifier and entitlement information.
Assuming that the connection request is an HTTP request, the source identifier will
include an Internet Protocol (IP) address. In general, an IP address is a 32-bit binary
number that uniquely identifies a host (computer) connected to the Internet, for the
purpose of communication through the transfer of packets. The use of IP addresses is
part of the standard transmission control protocol/Internet protocol (TCP/IP).

Next, in step 203, a determination is made as to whether the IP address is valid.
Since the sign-on component 120 will have a known IP address, verification of the IP
address can be accomplished by simply comparing the obtained IP address against the
known IP address of the sign-on component 120. If the IP address cannot be verified
(i.e., it doesn't match), control passes to step 204, where a message indicating an invalid
connection is returned; otherwise, control passes to step 204.

In step 204, a determination is made as to whether the entitlement information is
in the correct format. If this information is not in the proper format (or isn't present),
control passes to step 205, where a message indicating an invalid connection is returned;
otherwise, control passes to step 206. (The format of the entitlement information will
vary depending on the particular application. For example, if the information includes
the user's e-mail address, the format could be xxxxx@xxxxx.com.)

In step 206, the request processor 154 is called. When the request processor 154
is called, the entitlement information (e.g., e-mail address) can be used to establish access
to the system. The request processor assigns resources and/or preferences using the
entitlement information. Once access has been established, the user may thereupon
directly connect to the server 150. The process terminates in step 207.
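
The source-address comparison, entitlement format check and hand-off to the request processor described above, sketched in Python as an added example (not code from the application or from the DSAPI plug-in it describes). The expected address 10.0.0.5, the header name X-Entitlement-Email and the sample requests are constructed assumptions, and the peer address is assumed to be the socket-level address of the connection rather than a value read from a request header.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

# Assumed deployment values, constructed for this example (not from the page).
EXPECTED_SIGNON_IP = ipaddress.ip_address("10.0.0.5")
ENTITLEMENT_HEADER = "x-entitlement-email"  # hypothetical header name
EMAIL_FORMAT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    entitlement: Optional[str] = None


def normalize_peer(peer_ip: str):
    """Parse the socket peer address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def process_connection_request(
    peer_ip: str,
    headers: Iterable[Tuple[str, str]],
    request_processor: Callable[[str], None],
) -> Decision:
    # Source check (step 203): peer_ip must be the address the server's own
    # socket reports. A client-supplied header such as X-Forwarded-For is
    # attacker-controlled and cannot stand in for it.
    if normalize_peer(peer_ip) != EXPECTED_SIGNON_IP:
        return Decision(False, "source address is not the sign-on component")

    # Format check (step 204): exactly one entitlement header, well formed.
    # A repeated header is rejected because it is ambiguous which value the
    # server behind this component would end up using.
    values = [v for k, v in headers if k.lower() == ENTITLEMENT_HEADER]
    if len(values) != 1:
        return Decision(False, "entitlement header missing or repeated")
    value = values[0].strip()
    if not EMAIL_FORMAT.fullmatch(value):
        return Decision(False, "entitlement information not in expected format")

    # Hand-off (step 206): only now is the value made available to the server.
    request_processor(value)
    return Decision(True, "entitlement passed to request processor", value)


def demo():
    """Run constructed sample requests; return (decisions, values handed off)."""
    handled = []
    good = [("X-Entitlement-Email", "gmorgan@example.com")]
    cases = {
        "from_signon": ("10.0.0.5", good),
        "mapped_ipv6": ("::ffff:10.0.0.5", good),
        "other_host": ("10.0.0.9", good),
        "bad_peer": ("not-an-address", good),
        "no_header": ("10.0.0.5", [("Host", "mail.example.com")]),
        "repeated": ("10.0.0.5", good + [("x-entitlement-email", "other@example.com")]),
        "bad_format": ("10.0.0.5", [("X-Entitlement-Email", "not-an-email")]),
    }
    results = {
        name: process_connection_request(ip, hdrs, handled.append)
        for name, (ip, hdrs) in cases.items()
    }
    return results, handled


if __name__ == "__main__":
    decisions, handed_off = demo()
    for name, decision in decisions.items():
        print(f"{name:12} accepted={decision.accepted} ({decision.reason})")
    print("handed to request processor:", handed_off)
```

Because the address match is the only thing that vouches for the header, the server's listener has to be unreachable from any host other than the sign-on component for this check to hold.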

It is to be understood that the method outlined above can be implemented in various
forms of hardware, software, firmware, special purpose processors, or a combination
thereof. Preferably, the present invention is implemented in software as a program
tangibly embodied on a program storage device.

It is also to be understood that, because some of the constituent system
components and method steps depicted in the accompanying figures are preferably
implemented in software, the actual connections between the system components (or the
process steps) may differ depending upon the manner in which the present invention is
programmed.

The invention will be further clarified by the following example:

Example 1

A user accesses a corporate intranet using a personal computer. The user's
computer employs the Microsoft Windows operating system, and includes the Internet
Explorer browser. The user must enter a unique identifier and a password to sign on.
The user has access to a Lotus Notes e-mail system running on a Domino Server,
securely maintained in the same facility as the sign-on system. The "interface
component" is a Domino System Application Program Interface (DSAPI) plug-in
module. The DSAPI plug-in module is maintained on a DSAPI library.
In operation, the user connects to the corporate intranet using the browser. The
user then is queried for his user identifier and password. The user enters this information
into the screen. The entered information is then transmitted to the sign-on component,
where it is validated. The sign-on component then searches for systems that the user is
entitled to access. It is determined that the user has access to the Lotus Notes e-mail
system. The sign-on component then consults a cross-reference file, and finds the user's
Lotus Notes e-mail address. The sign-on component calls the Domino Server. When the
Domino Server is initially called, it invokes the DSAPI plug-in module. The module
checks the IP address of the request packet to make sure that it matches the expected
address. Assuming it matches, the module then formats a Common Name (CN) data
structure with the e-mail address (and other information). The Domino Request
Processor then uses the Domino-CN, to provide the user with appropriate access.

Although illustrative embodiments of the present invention have been
described herein with reference to the accompanying drawings, it is to be understood that
the invention is not limited to those precise embodiments, and that various other changes
and modifications may be affected therein by one skilled in the art without departing
from the scope or spirit of the invention.
WHAT IS CLAIMED IS:

1. A single sign-on authentication system, comprising:

an authentication component that determines whether a user is authenticated, and,
if it is determined that the user is authenticated, generates a connection request;

an interface component that receives the connection request from the
authentication component, the connection request including an identifier and entitlement
information; wherein the interface component compares the received identifier with an
expected identifier and, if they match, makes the entitlement information available to a
server associated with the interface component.

2. A method for enabling an authenticated user to connect to a server in a computer
network, comprising:

receiving a connection request for the authenticated user, the connection request
including an identifier and entitlement information;

comparing the received identifier with an expected identifier; and

making the entitlement information available to the server, only if the result of the
comparison is a match.

3. The method of claim 2, wherein the entitlement information is different from
information used to authenticate the authenticated user.

4. The method of claim 2, wherein the received identifier is an Internet Protocol (IP)
address.

5. The method of claim 3, wherein the entitlement information is determined based
on the authentication information.

6. The method of claim 5, wherein the information used to authenticate the
authenticated user includes one or more of a user identifier and a password.

7. The method of claim 2, wherein the entitlement information is contained in a
header portion of a data packet.

8. The method of claim 2, wherein the connection request is sent as an HTTP
request.
SINGLE SIGN-ON AUTHENTICATION SYSTEM

Abstract of the Disclosure

A single sign-on authentication system includes an authentication component that
determines whether a user is authenticated, and, if it is determined that the user is
authenticated, generates a connection request, the connection request including an
identifier and entitlement information. The system also includes an interface component
that receives the connection request from the authentication component. The interface
component compares the received identifier with an expected identifier. If they match,
the interface component makes the entitlement information available to a server
associated with the interface component. A method for enabling an authenticated user to
connect to a server in a computer network includes receiving a connection request for an
authenticated user, the connection request including an identifier and entitlement
information; comparing the received identifier with an expected identifier; and, if they
match, making the entitlement information available to the server.